Utils
Hashing, random credential generation, file and wordlist helpers, and self-modifying scripts.
Hashing (md5 / sha / hmac)
Common when a password/token field is hashed client- or server-side before comparison.
import hashlib, hmac
hashlib.md5(b"pass").hexdigest()
hashlib.sha256(b"pass").hexdigest()
hmac.new(b"key", b"msg", hashlib.sha256).hexdigest()Find by: hash, md5, sha1, sha256, hashlib, hmac, digest, password hash, checksum, sign
Random username / password generator
Throwaway creds for self-registration chains; unique each run so re-runs do not collide.
import random, string
username = "".join(random.choices(string.ascii_lowercase, k=8))
password = "".join(random.choices(string.ascii_letters + string.digits + string.punctuation, k=14))Find by: random, username, password, registration, unique, choices, string, ascii, generate creds, throwaway account · Source: CWEE/Second Order, PG
File read / write / wordlist iterate
Streams a wordlist line by line and writes payloads/loot to disk; wordlist lines are always stripped with strip().
# write
with open("script.sh", "w") as f:
f.write(payload)
# read whole file
data = open("loot.txt").read()
# iterate a wordlist (memory-safe)
with open(WORDLIST) as f:
for line in f:
word = line.strip()
if word:
...Find by: file, read, write, open, wordlist, lines, save, load, payload file, iterate, strip, with open · Source: CWEE/timing enum
Self-modifying script (persist state in file)
Useful for multi-stage chains: rewrites a constant in the script’s own source so the next run resumes.
def update_constant(new_value):
with open(__file__, "r") as f:
content = f.read()
content = content.replace(f'USERNAME = "{USERNAME}"', f'USERNAME = "{new_value}"')
with open(__file__, "w") as f:
f.write(content)
print(f"[+] Persisted USERNAME = {new_value}")Find by: self modify, file, persist state, rewrite script, second order, update constant, save progress, in place · Source: CWEE/Second Order LFI